Whitelisting didn’t work, and I wasn’t using the POST Request Attack Protection Bonus Custom Code. I did, however, add the bonus code, but it didn’t help. I noticed a NONCE in there, and I also found that it occurs on the front end as well, with a BFHS event code instead.
I’m guessing it is an issue with the s2member plugin. I’ve disabled every other plugin except that one, as it is needed for the user edit. I’ll have to take it up with them unless you have any other ideas.